Exploring Sparsity and Smoothness of Arbitrary $\ell_p$ Norms in Adversarial Attacks

TL;DR

This work systematically analyzes how the choice of the $\ell_p$ norm, for $p\in[1,2]$, shapes the sparsity and smoothness of adversarial perturbations across diverse CNN and transformer architectures and multiple image datasets. It introduces two smoothness measures based on smoothing operations and a Taylor-approximation based measure, alongside two established sparsity metrics (Gini index and Hoyer measure), and presents a framework to identify the optimal $p$ by normalizing these measures and maximizing their joint score. Empirically, the authors find that the conventional choices $p=1$ and $p=2$ are suboptimal for jointly favorable sparsity and smoothness, with the best $p$ typically around $1.3$ for CNNs and $1.4$–$1.5$ for transformers; adversarial training further shifts the optimal $p$ upward and reduces sparsity susceptibility. The findings emphasize the need for principled norm selection when evaluating adversarial perturbations, offering practical guidance for generating perturbations with desirable sparsity-smoothness trade-offs and enabling more informative cross-model comparisons.

Abstract

Adversarial attacks against deep neural networks are commonly constructed under $\ell_p$ norm constraints, most often using $p=1$, $p=2$ or $p=\infty$, and potentially regularized for specific demands such as sparsity or smoothness. These choices are typically made without a systematic investigation of how the norm parameter \( p \) influences the structural and perceptual properties of adversarial perturbations. In this work, we study how the choice of \( p \) affects sparsity and smoothness of adversarial attacks generated under \( \ell_p \) norm constraints for values of $p \in [1,2]$. To enable a quantitative analysis, we adopt two established sparsity measures from the literature and introduce three smoothness measures. In particular, we propose a general framework for deriving smoothness measures based on smoothing operations and additionally introduce a smoothness measure based on first-order Taylor approximations. Using these measures, we conduct a comprehensive empirical evaluation across multiple real-world image datasets and a diverse set of model architectures, including both convolutional and transformer-based networks. We show that the choice of $\ell_1$ or $\ell_2$ is suboptimal in most cases and the optimal $p$ value is dependent on the specific task. In our experiments, using $\ell_p$ norms with $p\in [1.3, 1.5]$ yields the best trade-off between sparse and smooth attacks. These findings highlight the importance of principled norm selection when designing and evaluating adversarial attacks.

Figures (4)

• Figure 1: Adversarially examples images for ResNet-18 and Flowers102. Columns (left to right):$\ell_p$ norm constraint, original image, adversarial image, and perturbation $\delta$. Rows (top to bottom): increasing values of $p \in \{1.00, 1.01, 1.10, 1.20, 1.40, 1.60, 1.80, 2.00\}$. White pixels in $\delta$ denotes zero-valued entries.
• Figure 2: Mean sparsity and smoothness as a function of $p$ averaged over all models and datasets. The curves are normalized independently per measure, model and dataset to the interval $[0,1]$ to enable comparison across measures. Sparsity measures are defined in Section \ref{['subsec:sparse']} and smoothness measures in Section \ref{['sec:smooth']}.
• Figure 3: Optimal values of $p$ maximizing sparsity and smoothness. Dots indicate the mean optimal value and error bars the standard deviation; individual runs are shown as crosses. Blue denotes attacks against normally trained models and red denotes attacks against adversarially trained models.
• Figure 4: $\ell_0$ sparsity of adversarial pertubations $\delta$ normalized by image size, shown as percentage of non-zero pixels. Mean and std given by dot and error bar, individual data points are represented as crosses. Blue denotes attacks against normally trained models and red denotes attacks against adversarially trained models.